---
## Creates one Linux bridge per entry of vm_host.network.bridges (named br-<key>)
## on an ifupdown host by writing /etc/network/interfaces.d/br-<key>, then brings
## up only the bridges whose config file was (re)written in this run.
## Static addressing for a bridge is looked up in network.interfaces by the
## bridge's own name (br-<key>); without a matching entry the bridge is "manual".
- name: create network bridges
  when: "'bridges' in vm_host.network"
  block:
    ## The Jinja template in `content` renders the ifupdown stanza. Rendered
    ## settings worth knowing when reviewing the host's network posture:
    ##  - bridge_stp off / bridge_waitport 0 / bridge_fd 0: no spanning tree,
    ##    ports forward immediately.
    ##  - accept_ra / autoconf = 0 for $IFACE (the bridge itself; ifupdown sets
    ##    $IFACE to the interface being configured): the host does not take IPv6
    ##    addresses or routes from router advertisements seen on the bridge.
    ##  - bridge-nf-call-{ip,ip6,arp}tables = 0 after loading br_netfilter: these
    ##    are host-wide sysctls, so frames forwarded by *any* bridge bypass the
    ##    host's iptables/ip6tables/arptables; host firewall rules therefore do
    ##    not filter guest-to-guest traffic.
    ##  - Only when the bridge has an address and a 'prefix':
    ##      * bridge.nat true: IPv4 forwarding is enabled on the bridge and on the
    ##        default interface, and a POSTROUTING SNAT rule for bridge.prefix is
    ##        appended on `up` and deleted on `down`.
    ##      * bridge.overlay set: one /32 route per overlay offset (via the
    ##        matching bridge.offsets entry) plus an 'unreachable' route for the
    ##        whole overlay prefix are added on `up`; the prefix route is deleted
    ##        on `down`.
    ## NOTE(review): the template dereferences ansible_default_ipv4.interface and
    ## .address, and bridge.offsets[dest], without guards; a host without a
    ## default IPv4 route, or an overlay whose offsets have no counterpart in
    ## bridge.offsets, would fail at render time — confirm the inventory schema
    ## guarantees both.
    ## `register` keeps the per-item changed status used by the next task.
    - name: generate bridge interface config
      loop: "{{ vm_host.network.bridges | default({}) | dict2items }}"
      loop_control:
        label: "{{ item.key }}"
      copy:
        dest: "/etc/network/interfaces.d/br-{{ item.key }}"
        content: |
          {% set bridge_name = 'br-'+item.key %}
          {% set bridge = item.value %}
          {% set interface = (network.interfaces | selectattr('name', 'eq', bridge_name) | first | default({})) %}
          auto {{ bridge_name }}
          {% if 'address' in interface %}
          iface {{ bridge_name }} inet static
            address {{ interface.address | ipaddr('address') }}
            netmask {{ interface.address | ipaddr('netmask') }}
          {%   if 'gateway' in interface %}
            gateway {{ interface.gateway }}
          {%   endif %}
          {% else %}
          iface {{ bridge_name }} inet manual
          {% endif %}
          {% if 'interfaces' in bridge and (bridge.interfaces | length) > 0 %}
            bridge_ports {{ bridge.interfaces | join(' ') }}
          {% else %}
            bridge_ports none
          {% endif %}
            bridge_stp off
            bridge_waitport 0
            bridge_fd 0
            up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
            up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/autoconf
            up modprobe br_netfilter
            up /sbin/sysctl net.bridge.bridge-nf-call-iptables=0
            up /sbin/sysctl net.bridge.bridge-nf-call-ip6tables=0
            up /sbin/sysctl net.bridge.bridge-nf-call-arptables=0
          {% if 'address' in interface and 'prefix' in bridge %}
          {%   if 'nat' in bridge and bridge.nat %}
            up echo 1 > /proc/sys/net/ipv4/conf/$IFACE/forwarding
            up echo 1 > /proc/sys/net/ipv4/conf/{{ ansible_default_ipv4.interface }}/forwarding
            up /sbin/iptables -t nat -A POSTROUTING -o {{ ansible_default_ipv4.interface }} -s {{ bridge.prefix }} -j SNAT --to {{ ansible_default_ipv4.address }}
          {%   endif %}
          {%   if 'overlay' in bridge %}
          {%     for dest, offset in (bridge.overlay.offsets | dictsort(by='value')) %}
            up /bin/ip route add {{ (bridge.overlay.prefix | ipaddr(offset)).split('/')[0] }}/32 via {{ (bridge.prefix | ipaddr(bridge.offsets[dest])).split('/')[0] }}  # {{ dest }}
          {%     endfor %}
            up /bin/ip route add unreachable {{ bridge.overlay.prefix }}
            down /sbin/ip route del {{ bridge.overlay.prefix }}
          {%   endif %}
          {%   if 'nat' in bridge and bridge.nat %}
            down /sbin/iptables -t nat -D POSTROUTING -o {{ ansible_default_ipv4.interface }} -s {{ bridge.prefix }} -j SNAT --to {{ ansible_default_ipv4.address }}
          {%   endif %}
          {% endif %}
          {% if 'address6' in interface %}

          iface {{ bridge_name }} inet6 static
            address {{ interface.address6 }}
          {%   if 'gateway6' in interface %}
            gateway {{ interface.gateway6 }}
          {%   endif %}
          {% endif %}
      register: vmhost_bridge_config

    ## We don't try to be too clever here: aka don't call ifdown before ifup because
    ## if there are VMs running they would end up with a broken network
    ## Only items whose config file changed above are touched. ifup failures are
    ## deliberately ignored (failed_when: false), so a bridge that does not come
    ## up is not reported as a play failure — check `ip link` / the ifup output
    ## if a bridge is missing.
    ## NOTE(review): ifup on an interface ifupdown already considers configured
    ## is presumably a no-op, so a changed stanza for an already-up bridge only
    ## takes effect after that bridge is cycled by hand — confirm that is intended.
    - name: bring up bridge interfaces
      loop: "{{ vmhost_bridge_config.results }}"
      loop_control:
        label: "br-{{ item.item.key }}"
      when: item is changed
      command: "/sbin/ifup br-{{ item.item.key }}"
      failed_when: false